When a website is compromised, attackers frequently leave behind a backdoor: PHP code in a new file, or PHP code injected into a file that already exists on the server. These backdoors are not designed to attack the website or destroy data. Typically they let the attacker re-enter the compromised site with little or no authentication, giving them unauthorized access to the system and the ability to run anything on the server with the web server user's permissions.
Here we show a few techniques today's malware uses to hide function names in variables and to call obfuscated PHP functions such as eval, assert and create_function, which let it run anything on the server with the user's permissions.
Hide the commands to a variable
The typical eval syntax used in malware is:
The first variation, seen in a lot of today's malware:
Split string into variables
$ekjrher = "e".""."va"."l"; $ekjrekr = "base"."64"."_decode"; $ekjrher($ekjrekr("aHR0cHM6Ly9tYWx3YXJlLmV4cGVydA=="));
This is harder to detect with signatures (for example a plain grep for eval on Linux) than an undisguised eval call.
PHP strrev function
Using the strrev function on a variable lets the attacker reverse the string strrev('edo'.'c'.'ed_4'.'6e'.'sab') into base64_decode:
$ekjrher = "e".""."va"."l"; $ekjrekr = strrev('edo'.'c'.'ed_4'.'6e'.'sab'); $ekjrher($ekjrekr("aHR0cHM6Ly9tYWx3YXJlLmV4cGVydA=="));
Variable function calls like these only work with real functions (base64_decode, strrev); they do not work with language constructs such as eval, which cannot be invoked through a variable.
Bitwise XOR operations on strings
Another interesting method hides create_function using PHP's bitwise XOR operator on two strings (the expression below evaluates to the string create_function):
$pMqLHsBZdl=' 434OEq6ERQB36X'^'CFVU; .P0<26ZY6';
Random string pattern
With a random string pattern the malware can build any string, and therefore any command, by picking characters out of one long pool string:
$XXeYF7109 = "vl*prq)fm6xtz4u1_0/.adyheg(ncoj7w539i;bk82s"; $command = $XXeYF7109.$XXeYF7109.$XXeYF7109.$XXeYF7109;
This technique is very effective at avoiding detection by engines that rely on keywords, and the string itself is completely unreadable as it stands.
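As an added example that is not part of the original post, here is a small Python static scanner that resolves the three constant-string idioms shown above (concatenation, strrev() and string XOR) back to the function name they hide, and flags the character-pool pattern; the SUSPICIOUS list, the heuristics and the sample PHP are constructed for this example.

```python
import re
from string import ascii_lowercase
# Names whose obfuscated construction is worth flagging (constructed list for this example)
SUSPICIOUS = {"eval", "assert", "create_function", "base64_decode", "system", "exec", "shell_exec", "passthru"}

LITERAL = r"""(?:'[^'\\]*'|"[^"\\]*"|\d+)"""               # quoted string or bare integer
CONCAT = rf"{LITERAL}(?:\s*\.\s*{LITERAL})*"                 # literal . literal . ...
ASSIGN = re.compile(r"""(\$\w+)\s*=\s*((?:'[^'\\]*'|"[^"\\]*"|[^;'"])+);""")  # $var = <rhs>; (quotes may hold ';')

def resolve(expr: str):
    """Statically evaluate the idioms above: concatenation, strrev() and string XOR; None if not constant."""
    expr = expr.strip()
    m = re.fullmatch(r"strrev\s*\((.*)\)", expr, re.S)
    if m:
        inner = resolve(m.group(1))
        return None if inner is None else inner[::-1]
    m = re.fullmatch(rf"({CONCAT})\s*\^\s*({CONCAT})", expr)
    if m:
        a, b = resolve(m.group(1)), resolve(m.group(2))
        return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b))  # PHP XORs byte-wise up to the shorter operand
    if re.fullmatch(CONCAT, expr):                           # 64 and "64" both contribute "64"
        return "".join(p[1:-1] if p[0] in "'\"" else p for p in re.findall(LITERAL, expr))
    return None

def is_char_pool(value: str) -> bool:
    """Heuristic for the random-string trick: one literal holding every letter a-z exactly once."""
    return sorted(c for c in value if c.islower()) == list(ascii_lowercase)

def scan(php_source: str):
    """Return (variable, kind, resolved value) for each suspicious assignment in the source."""
    findings = []
    for var, rhs in ASSIGN.findall(php_source):
        value = resolve(rhs)
        if value is not None and value.lower() in SUSPICIOUS:
            findings.append((var, "obfuscated-name", value))
        elif value is not None and is_char_pool(value):
            findings.append((var, "char-pool", value))
    return findings

# Constructed sample modelled on the snippets above (not a live sample; nothing here is executed)
SAMPLE = '''<?php
$ekjrher = "e".""."va"."l"; $ekjrekr = "base"."64"."_decode";
$zz = strrev('edo'.'c'.'ed_4'.'6e'.'sab');
$pMqLHsBZdl=' 434OEq6ERQB36X'^'CFVU; .P0<26ZY6';
$XXeYF7109 = "vl*prq)fm6xtz4u1_0/.adyheg(ncoj7w539i;bk82s"; $command = $XXeYF7109.$XXeYF7109;
'''
for var, kind, value in scan(SAMPLE):
    print(f"{kind:16} {var} -> {value}")
```

Because the scanner works on the resolved value rather than on keywords, adding a new split point or a different XOR key to the sample does not change what it reports.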